Seeking guidance on moving WAN phy on a live ha firewall pair

Started by Wolfspyre, May 01, 2024, 08:47:32 PM

Hai all!

SO!
snazzy new internet upgrade happens... woohoo....
however now my firewall pair's wan interface is no longer fast enough to consume the additional bandwidth.

Fortunately, my firewall pair **DOES** have available and unutilized interfaces which ARE capable (copper 10G)
(I'm using the 10G SFP interfaces on it currently)

so in specific:

  • igb0 **Heartbeat**
  • igb1 **current WAN**
  • igb2 **secondary unconfigured wan ((project for tomorrowland/not in scope here))**
  • igb3 **virtual endpoint vlan**
  • ixl0 *currently unused*
  • ixl1 *currently unused*
  • ixl2 **LAGG0.0**
  • ixl3 **LAGG0.1**
  • lagg0 (many vlan interfaces for internal traffic)

so both firewalls have the above rough topology.

essentially I want to identify the least problematic way to accomplish the goal of

move everything interacting with the physical connection 'igb1' to the physical connection 'ixl0'

on the firewall pair.

I can certainly cease using the standby for a bit
(ie power it off to prevent wobbly bits from making things harder than they need to be while reconfiguring)

but I'm not sure what the best way forward is...

I have a couple ideas, but before grabbing the scissors, blindfold, and running shoes, it felt prudent to reach out here and ask what others' experience has been.

anyone have any guidance or experience they care to share?




May 01, 2024, 09:09:01 PM #1 Last Edit: May 02, 2024, 05:30:27 PM by Patrick M. Hausen
Schedule a maintenance window, then while connected from an internal interface go to

Interfaces > Assignments

change the WAN assignment from igb0 to ixl0, save, apply, done. I would reboot to be sure, hence the maintenance window.

That's the reason why there is an additional abstraction layer (Assignments) between IP addresses, rules, ... and physical interfaces. Everything configured for WAN will carry over, you are only changing the physical port.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
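
An added example, not part of the thread and not OPNsense code: a pre-change check for the reassignment described above. It lists every place in a configuration export that names the old physical port and confirms the new port is unreferenced. The sample XML is constructed and only loosely modelled on an OPNsense `config.xml`; its element names and the function names `device_references` and `preflight` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumed element names), not taken from the thread.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>igb1</if><descr>WAN</descr></wan>
    <lan><if>lagg0</if><descr>LAN</descr></lan>
    <opt1><if>igb0</if><descr>HEARTBEAT</descr></opt1>
    <opt2><if>igb3</if><descr>VENDPOINT</descr></opt2>
  </interfaces>
  <laggs>
    <lagg><members>ixl2,ixl3</members><laggif>lagg0</laggif></lagg>
  </laggs>
</opnsense>"""


def device_references(xml_text, device):
    """Return sorted element paths whose text names `device` as a whole token."""
    hits = []

    def walk(node, path):
        # Split on commas and whitespace so "ixl2,ixl3" yields two tokens
        # and "igb1" never matches "igb10".
        tokens = (node.text or "").replace(",", " ").split()
        if device in tokens:
            hits.append(path)
        for child in node:
            walk(child, f"{path}/{child.tag}")

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return sorted(hits)


def preflight(xml_text, old_dev, new_dev):
    """Summarise whether swapping old_dev for new_dev is a pure assignment change."""
    old_refs = device_references(xml_text, old_dev)
    new_refs = device_references(xml_text, new_dev)
    # "Simple" means the old port appears only as <interfaces>/<name>/<if>
    # and the new port is not referenced anywhere yet.
    assignment_only = bool(old_refs) and all(
        p.split("/")[1] == "interfaces" and p.endswith("/if") for p in old_refs
    )
    return {"old_refs": old_refs, "new_refs": new_refs,
            "simple_swap": assignment_only and not new_refs}


if __name__ == "__main__":
    print(preflight(SAMPLE_CONFIG, "igb1", "ixl0"))
```

Run it against a configuration backup from each node of the pair; any path outside the interface assignments is something to review by hand before the maintenance window.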

I'd **HOPED** it would be this simple; but you know how it goes.... there's almost always .....
Wibbly bits.


'this mostly works, unless you have HA configured alongside _service-here_ and....'

kinds of things ;)

(For example, if you set the heartbeat crossover interface to have an MTU > 1500 things can go kinda pear shaped)


appreciate the $.03. hopefully it'll be as straightforward as we want it to be ;)